1 Answer

In general, I'd advise against creating your own scheme even if it uses accepted algorithms. Your case sounds like it is easily served with standard SSL, perhaps with client-side certificates as well as server-side.

If you go and use an encryption algorithm directly, without some widely accepted scheme around it, you're opening up to a whole range of attacks that you can't possibly think of all by yourself.

For instance, say you would just encrypt the string and transmit it over HTTP. An eavesdropper would not be able to decrypt it, but could save it and re-send it at a later time. Also, any scheme that doesn't introduce a freshness property, such as timestamp or nonce, will be susceptible to statistical attacks on those strings, especially if they contain text in a known language.

If there is no reason why normal SSL, perhaps coupled with authentication in the application, would not work, then stick to that.
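The freshness check the answer describes, as an added example that is not part of the original answer: an HMAC-authenticated envelope carrying a random nonce and a timestamp, with a receiver that rejects stale and repeated messages. Confidentiality is left to the transport (TLS), as the answer recommends; the key, skew window and message layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32
MAX_SKEW = 30  # seconds a message may be out of date and still be accepted (assumed)


class RejectError(Exception):
    """Raised with a short reason when a message must not be processed."""


def seal(key, payload, now=None):
    """Build nonce || timestamp || payload || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ts = int(time.time() if now is None else now)
    body = nonce + struct.pack(">Q", ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> timestamp; entries older than the window are pruned

    def open(self, msg, now=None):
        if len(msg) < NONCE_LEN + TS_LEN + TAG_LEN:
            raise RejectError("truncated")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise RejectError("bad tag")
        nonce = body[:NONCE_LEN]
        ts = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + TS_LEN])[0]
        now = int(time.time() if now is None else now)
        if abs(now - ts) > self.max_skew:
            raise RejectError("stale")  # outside the window: old capture or bad clock
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            raise RejectError("replay")  # same fresh message delivered twice
        self.seen[nonce] = ts
        return body[NONCE_LEN + TS_LEN:]


def verdict(rx, msg, now):
    try:
        rx.open(msg, now=now)
        return "ok"
    except RejectError as e:
        return str(e)


def demo():
    """Constructed scenario: accept once, then reject replay, stale copy, tampering."""
    key = hashlib.sha256(b"constructed demo key").digest()
    rx = Receiver(key)
    msg = seal(key, b"transfer 100 to account 42", now=1_000_000)
    results = [verdict(rx, msg, 1_000_000)]                     # fresh: accepted
    results.append(verdict(rx, msg, 1_000_005))                  # same bytes again
    results.append(verdict(rx, seal(key, b"x", now=1_000_000), 1_000_100))  # too old
    tampered = msg[:-1] + bytes([msg[-1] ^ 1])                  # flip one tag bit
    results.append(verdict(rx, tampered, 1_000_000))
    return results  # ["ok", "replay", "stale", "bad tag"]
```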